Tawk.To Live Chat Security & Risk Analysis

The tawkto-live-chat plugin version 0.9.3 presents a mixed security posture. While it demonstrates good practices such as using prepared statements for all SQL queries and having no critical or high severity taint flows, there are significant concerns regarding its attack surface. The plugin exposes two AJAX handlers without authentication checks, making them prime targets for unauthorized access and potential manipulation. Additionally, only 54% of output is properly escaped, leaving room for cross-site scripting (XSS) vulnerabilities in certain scenarios.

The vulnerability history reveals a past high severity issue related to missing authorization, which aligns with the current findings of unprotected AJAX endpoints. The lack of currently unpatched vulnerabilities is a positive sign, suggesting that previous issues have been addressed. However, the pattern of past authorization-related vulnerabilities, combined with the present unprotected entry points, indicates a recurring weakness in how the plugin handles user access control.

Overall, while the plugin avoids critical code-level flaws like raw SQL or dangerous functions, the unprotected AJAX handlers are a notable risk. The historical trend of authorization flaws further emphasizes the need for careful review and hardening of these entry points. This version shows improvement in some areas but still requires attention to its access control mechanisms to reduce its overall risk profile.